Todolist Md Clawdbot

Warn: Audited by ClawScan on May 10, 2026.

Overview

The skill matches its todo-file purpose, but its helpers request broad Google Drive access and store reusable Drive credentials, so it should be reviewed before use.

Install only if you are comfortable granting Google Drive access to the helper scripts. Prefer a dedicated Drive folder or account, verify the gog binary and OAuth setup, keep the refresh-token file protected, and review generated changes before applying write-back.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If authorized, the helper can keep access to the user's Google Drive and use that access in later runs.

Why it was flagged

The helper requests the broad Google Drive OAuth scope and stores a reusable refresh token locally, giving the skill durable Drive account authority beyond a single Markdown file.

Skill content

const scopes = ['https://www.googleapis.com/auth/drive']; ... const refreshTokenFile = args.refreshTokenFile || process.env.REFRESH_TOKEN_FILE || '/root/clawd/.secrets/todolist_drive_oauth.json';

Recommendation

Use a dedicated Google account or folder where possible, prefer a narrower OAuth scope if available, and review/delete the stored refresh-token file when access is no longer needed.

What this means

Running the helper with valid credentials can change the contents of a Drive todo file.

Why it was flagged

The helper can overwrite or update an existing Google Drive file by fileId. This is aligned with the todo write-back purpose, but it is a high-impact mutation capability.

Skill content

method: 'PATCH', ... `https://www.googleapis.com/upload/drive/v3/files/${fileId}?uploadType=multipart`

Recommendation

Run prepare/dry-run workflows first where available, keep backups or Drive revision history enabled, and review proposed edits before applying them.

What this means

The helper depends on and runs a local gog binary, including through sudo -u ubuntu in the shown command construction.

Why it was flagged

The Drive folder helper executes a local command to run the gog CLI. It uses an argument array rather than a shell string and is part of the documented Drive workflow, but users should still be aware of it.

Skill content

const raw = execFileSync(cmd[0], cmd.slice(1), { encoding: 'utf8' });

Recommendation

Confirm the gog binary path and account configuration before running the helper, and do not run it in a privileged environment unnecessarily.

What this means

A user may not realize from the registry requirements that setup requires an authenticated Drive CLI or Google OAuth credentials.

Why it was flagged

The registry metadata does not declare the gog CLI or OAuth-related environment/config inputs that the included scripts use. SKILL.md discusses gog and OAuth, so this is under-declaration rather than hidden behavior.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

The package should declare its optional/required Drive credentials, gog dependency, and expected token storage path in metadata.

What this means

Storage locations and file identity settings may be reused in later tasks.

Why it was flagged

The skill intends to retain storage configuration such as root folder IDs or local paths across runs. This is useful for the workflow but creates persistent context that should remain user-controlled.

Skill content

Ask once, then persist the answers (in memory/config) for future runs.

Recommendation

Ensure the persisted configuration is visible, editable, and removable, especially if switching projects or accounts.